home *** CD-ROM | disk | FTP | other *** search
- BAT.Batalia3,Batalia4
-
- ---------------------------------------------------------------------------
- These are harmless nonmemory resident parasitic BAT viruses. They search
- for BAT files in the current directory, then infect them. While infecting a
- file the viruses run the ARJ archiver to the pack necessary files. If there
- is no ARJ.EXE file in PATH, the viruses fail to replicate themselves.
-
- The viruses contain two parts of code and data. The first part (the header)
- contains DOS commands:
-
- "Batalia3": "Batalia4":
-
- @echo off @echo off
- rem YYY rem BAT4
- arj x %0 -g½½b╤p▀ >nul arj x %0 >nul
- ren p Int call i
- call i del sg
- ren Int a.bat del i.bat
- echo on
- @call a
- @echo off
- del i.bat
- del a.bat
- del BATalia3
-
- The second part (the rest) is an ARJ archive. This archive contains the
- I.BAT file that is the main virus code and the additional files:
-
- "Batalia3": P, BATALIA3
- "Batalia4": SG
-
- The SG and BATALIA3 files contain several additional batch commands. The P
- file contains original code of infected BAT file (in case of "Batalia3"
- virus).
-
- So, any infected file contains the text strings (DOS commands) and the
- binary data (ARJ archive).
-
- When executed, the virus runs the ARJ archiver, extracts the files I.BAT
- and SG and runs I.BAT. This batch file searches for not infected BAT files
- in the current directory and infects them.
-
- While infecting, the "Batalia4" virus appends its code to the end of files
- and does not modify the original file contents. "Batalia3" saves original
- BAT file to ARJ archive (file P) and overwrites it. As a result the length
- of a file infected by "Batalia3" may be less than before infection.
-
